The June 2017 Security Update Review

The start of summer brings with it a new crop of security updates from Adobe, Cisco, and Microsoft. This month’s patches show us all that is old is new again, so dive in with us and see which patches feel new and which seem like a summer re-run.

Adobe Patches for June 2017

For June, Adobe released three Critical-rated and one Important-rated update covering Flash Player, Shockwave, Captivate, and Adobe Digital Editions. The most impactful of these is the Flash update, which addresses nine bugs, four of which were submitted through the ZDI program. The fixes cover memory corruption and use-after-free (UAF) issues in Flash. Although the update carries the highest severity rating, Adobe reports no indications of active attacks using these CVEs. The Shockwave update addresses a single memory corruption issue; like the Flash update, it is rated Critical and is not listed as under active attack.

The update for Adobe Digital Editions fixes a total of nine CVEs, four of which are Critical-rated memory corruption issues. The remaining five are three Important-rated library loading issues and two Important-rated stack overflows. The final bulletin, rated Important, addresses an input validation issue in Captivate that could lead to information disclosure. None of these bulletins is listed as under active attack either.

Cisco Patches for June 2017

Last week, Cisco released a noteworthy patch for its Data Center Network Manager (DCNM). A debugging tool was inadvertently left enabled in the product, and it could allow a remote attacker to execute code as root on the DCNM server. Note that the flaw sits in the management application rather than in the switches themselves, but if you use DCNM to manage Nexus, NX-OS, or MDS SAN switches in your enterprise, this is definitely a patch that should be given high priority.

Microsoft Patches for June 2017

Unlike the small Adobe and Cisco releases, Microsoft released fixes for 96 CVEs this month across Windows, Office, Skype, Internet Explorer, and the Edge browser; 12% of these issues came through the ZDI program at some point. Of the 96, 18 are rated Critical, 76 are rated Important, one is rated Moderate, and one carries the rare Low severity rating. Some of these bugs were initially disclosed during this year's Pwn2Own competition, though other bugs from the contest remain unpatched. Two of these bugs are under active attack and three are listed as publicly known. Enterprises should focus on those five CVEs first.

The first of the two actively exploited bugs is an RCE in the Windows OS through the Windows Search service. If you aren't familiar with it, the Windows Search Service (WSS) communicates over the network through the Windows Search Protocol. According to MSDN, it "enables a client to communicate with a server that is hosting a WSS, both to issue queries and to enable an administrator to manage the indexing server." This vulnerability allows a malicious SMB request to execute code on a target system. Microsoft's advisory states, "In an enterprise scenario, a remote unauthenticated attacker could remotely trigger the vulnerability through an SMB connection and then take control of a target computer." That certainly reads like a wormable bug, albeit one that could possibly be contained within an enterprise: blocking inbound SMB (TCP 445) at the perimeter limits exposure from the Internet, but does nothing for an attacker who already has a foothold on the internal network. Either way, this is just the type of vulnerability favored by malware authors to create widespread chaos.

The second actively exploited bug is an LNK remote code execution issue, and if you're experiencing déjà vu reading the bug title, it's certainly understandable. This type of vulnerability was used by the Stuxnet malware, then found again several years later through a ZDI program submission. While this latest patch may touch different parts of the code, the exploit vector remains the same: remote code execution can occur when the icon of a specially crafted shortcut file is displayed. In the case of Stuxnet, the shortcut was delivered on a USB thumb drive, but the LNK could just as well be hosted on a network share the target browses. If there is a positive note here, the exploit only yields code execution with the privileges of the logged-on user, another reminder not to use administrative privileges for daily tasks. Interestingly, there have been reports that the Stuxnet LNK attacks were still prevalent as recently as April 2017; however, these appear to be unrelated to this bug.
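Since the shortcut only needs to be displayed, the practical question for a defender is whether crafted .lnk files are already sitting on shares or removable media your users browse. As an added example (not code from the ZDI post, Microsoft, or any published exploit), here is a small Python triage script: it parses the Shell Link header, target ID list and StringData of every .lnk under a directory and flags shortcuts that load their icon from a UNC path or from a DLL/CPL outside the Windows directory, or whose target ID list contains a Control Panel item or a module path. The flagging rules are my own heuristic assumptions, not a signature for this bug; the constants for the Shell Link CLSID, link flags and Control Panel folder CLSID follow the MS-SHLLINK format, and the sample shortcut is constructed on the fly in a temporary directory.

```python
import os
import struct
import tempfile

# Added example: a minimal MS-SHLLINK (.lnk) parser plus a triage heuristic for shortcuts
# crafted to load code when Explorer renders their icon. The flagging rules are assumptions.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
CONTROL_PANEL_CLSID = bytes.fromhex("2020ec21ea3a6910a2dd08002b30309d")  # {21EC2020-3AEA-1069-A2DD-08002B30309D}
MODULE_EXT = (".dll", ".cpl", ".ocx")
SYSTEM_PREFIXES = ("%systemroot%", "%windir%", "c:\\windows")  # icons from modules here are normal


def parse_lnk(data):
    """Return the link flags, raw ItemID entries and StringData fields of a .lnk blob."""
    if len(data) < LNK_HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos, item_ids = LNK_HEADER_SIZE, []
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize, ItemIDs..., then a 2-byte TerminalID
        end = pos + 2 + struct.unpack_from("<H", data, pos)[0]
        p = pos + 2
        while p + 2 <= end:
            size = struct.unpack_from("<H", data, p)[0]
            if size == 0:
                break
            item_ids.append(data[p + 2:p + size])
            p += size
        pos = end
    if flags & HAS_LINK_INFO:  # LinkInfoSize is its first field; skip the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {"flags": flags, "item_ids": item_ids}
    for name, bit in (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH), ("working_dir", HAS_WORKING_DIR),
                      ("arguments", HAS_ARGUMENTS), ("icon_location", HAS_ICON_LOCATION)):
        if flags & bit:  # CountCharacters followed by the string, no terminator
            count = struct.unpack_from("<H", data, pos)[0]
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos + 2:pos + 2 + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
            pos += 2 + count * width
    return fields


def suspicious_reasons(parsed):
    """Heuristic triage: flag remote or out-of-place module loads and Control Panel items."""
    reasons, icon = [], parsed.get("icon_location", "")
    low = icon.lower()
    if low.startswith("\\\\"):
        reasons.append("icon loaded from a UNC path: " + icon)
    elif low.endswith(MODULE_EXT) and not low.startswith(SYSTEM_PREFIXES):
        reasons.append("icon loaded from a module outside the Windows directory: " + icon)
    blob = b"".join(parsed["item_ids"])
    if CONTROL_PANEL_CLSID in blob:
        reasons.append("target ID list contains a Control Panel item")
    text = blob.decode("latin-1").lower() + blob[:len(blob) & ~1].decode("utf-16-le", "ignore").lower()
    if any(ext in text for ext in MODULE_EXT):
        reasons.append("target ID list embeds a path to a loadable module")
    return reasons


def build_lnk(icon_location=None, item_ids=(), unicode=True):
    """Assemble a minimal .lnk for testing (constructed data, not a real exploit file)."""
    flags, body = (IS_UNICODE if unicode else 0), b""
    if item_ids:
        flags |= HAS_LINK_TARGET_ID_LIST
        items = b"".join(struct.pack("<H", len(i) + 2) + i for i in item_ids) + b"\x00\x00"
        body += struct.pack("<H", len(items)) + items
    if icon_location is not None:
        flags |= HAS_ICON_LOCATION
        body += struct.pack("<H", len(icon_location)) + icon_location.encode("utf-16-le" if unicode else "cp1252")
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    return header + b"\x00" * (LNK_HEADER_SIZE - len(header)) + body


def scan_tree(root):
    """Walk a mounted share or removable drive; return (path, reasons) for every flagged .lnk."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in (n for n in files if n.lower().endswith(".lnk")):
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    reasons = suspicious_reasons(parse_lnk(fh.read()))
            except (OSError, ValueError) as exc:  # a corrupt shortcut is itself worth a look
                reasons = ["unparseable shortcut: %s" % exc]
            if reasons:
                findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as share:  # stands in for a network share or USB stick
        with open(os.path.join(share, "Invoice.lnk"), "wb") as fh:  # constructed sample
            fh.write(build_lnk("\\\\fileserver\\share\\payload.dll", [CONTROL_PANEL_CLSID]))
        for path, reasons in scan_tree(share):
            print(path, "->", "; ".join(reasons))
```

Point `scan_tree()` at the mount point of a share or a mounted removable drive and review anything it returns by hand. Ordinary shortcuts routinely pull their icon from shell32.dll and similar system modules, which is why the Windows-directory exemption exists; the script is a prioritisation aid for a hunt, not a detection signature for the patched bug.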

The patches for the publicly known bugs not under active attack shut down a couple of security feature bypasses and an information disclosure in Microsoft Edge. Although these issues might not seem as interesting as an RCE bug, closing these holes potentially increases the cost of exploiting an issue by making it harder for attackers to reliably execute their code. Anything that increases the difficulty for attackers is always welcome.

Last month we introduced our overview table and received some good reviews. We’ll keep including the table and will tweak it as needed. Here’s the full list of CVEs released by Microsoft for June 2017.

You'll notice 45 of these bugs are information disclosures, and most of them reside in the Windows kernel. Like the publicly known Edge bugs, fixing these kernel info leaks raises the bar for an attacker, since kernel address leaks are exactly what an exploit chain needs to reliably execute code in the face of kernel ASLR. Since many of these patches touch core OS files, they should be thoroughly tested before widespread deployment.

Microsoft released two advisories this month. The first provides the aforementioned Adobe Flash fix to Windows systems. The second applies defense-in-depth fixes for SharePoint Enterprise Server 2013 and 2016. A reboot shouldn’t be required for this, provided all SharePoint services are stopped prior to installing the patch.

Finally, don't let the size of this release frighten you. While 96 CVEs certainly seems high under Microsoft's new practice of listing each CVE individually rather than grouping them into bulletins, many of these would previously have rolled together into one security bulletin. The month would probably have ended up as a large release of around 14 bulletins, but nothing unprecedented. Only time will tell whether this volume constitutes the "new normal" for Microsoft security patches.

Looking Ahead

The next patch Tuesday falls on the 11th of July, and we’ll return with details and patch analysis then. Follow us on Twitter to see the latest and greatest coming from the ZDI program. Until then, happy patching and may all your reboots be smooth and clean!